CVE-2018-1000068

MEDIUM5.3EPSS 0.31%

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Published: 5/13/2022Modified: 11/8/2023

Description

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Affected packages (1)

Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 2.89.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000068
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/jenkinsci/jenkins/commit/8830d68f5fe21f344be3496984bc4470bfcd0564
WEBhttps://jenkins.io/security/advisory/2018-02-14/#SECURITY-717
WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
WEBhttp://www.securityfocus.com/bid/103101